Summary:
The AI & GDPR MONTHLY UPDATE discusses the new provisions of the AI Act, court opinions regarding GDPR, and developments in AI regulations across the EU, including compensation rulings, DPA opinions, and insights from the AI Action summit.
Original Link:
Original Article:
Welcome to another edition of the AI & GDPR MONTHLY UPDATE, bringing you the latest insights into artificial intelligence and data protection. We’ll cover new AI regulations, opinions, court and authority decisions across the EU, and the latest use cases in AI implementation. Our AI & GDPR MONTHLY UPDATE lands in your inbox every month.
AI Act and AI Liability Directive
The first provisions of AI Act have entered into force. As of 2 February 2025, providers and deployers must ensure sufficient level of AI literacy (Chapter I) and refrain from any prohibited AI practices featured in the blacklist of banned AI use cases (Chapter II).
The European Commission announced its intention to withdraw the ePrivacy Regulation and AI Liability Directive drafts. According to the Commission, an agreement on the drafts is not expected anytime soon. It will therefore assess whether to present an entirely new proposal or choose an alternative approach.
The first preliminary questions regarding the AI Act were submitted to the CJEU. The Bulgarian court seeks to ascertain the extent of information that a consumer may request about automated generation of invoices including the algorithms and parameters used under Art. 86 of the AI Act.
AI and GDPR cases
CJEU First Advocate General Maciej Szpunar issued a key opinion in Case C-492/23 on the interpretation of the relationship between the DSA (Digital Services Act) and GDPR, particularly in the context of online marketplaces. The non-binding opinion deals with the position of an online marketplace operator as a data controller and processor under GDPR as well as its potential responsibility for content shared by users under the DSA. The AG finds that such an operator (as a data controller) should verify the identity of content-uploading users as part of the security measures required under Article 24 GDPR, regardless of similar DSA obligations.
The CJEU’S General Court confirmed that the European Data Protection Board (EDPB) may instruct national supervisory authorities to conduct additional investigations to extend GDPR inspections. The decision substantively enhances EDPB’s corrective powers and contributes to the unification of cross-border GDPR enforcement.
The Irish Circuit Court awarded €7,500 to plaintiffs in a data protection breach case. This is the highest compensation granted so far for non-material damages under GDPR. The case at hand related to a data breach involving sensitive data related to abuse suffered by the plaintiff during her childhood. The court emphasized that such compensation is awarded only in cases of serious breaches, while noting that courts may give significant account to the subjective experience of affected individuals.
AI Guidance and DPA opinions
The Commission published draft Guidelines on prohibited AI practices. The AI Act Guidelines explain and provide practical examples of specific prohibited practices, such as harmful manipulation, social scoring, and real-time remote biometric identification.
The Commission has also published Guidelines on the definition of an AI system. The non-binding guidelines are crucial in the early phase of the AI Act’s implementation. They provide demonstrative examples of AI systems and examine seven key elements of the AI system definition (such as autonomy, adaptiveness and interaction with the environment) to determine whether a given system falls under the AI Act.
The Italian Data Protection Authority (Garante) temporarily blocks DeepSeek launch. The authority had previously requested information from DeepSeek regarding personal data processing in its chatbot, due to potential privacy risks, including data transfers to China. After the company’s response was deemed entirely unsatisfactory, the authority decided to take preventive measures.
The French Data Protection Authority (CNIL) has issued recommendations on GDPR-compliant AI development. The recommendations highlight key data protection considerations for the development of AI systems.
The EDPB has decided to expand the scope of its ChatGPT task force. The task force will no longer only address issues relevant to OpenAI but will also coordinate and inform data protection authorities of all important proceedings related to potential GDPR violations associated with the use of artificial intelligence, including potential investigations into DeepSeek.
The French Data Protection Authority (CNIL) has published the final version of its methodology for Transfer Impact Assessments (TIA). The authority provides a detailed overview of when a TIA is required, describes key steps for conducting it, and outlines the legal obligations of data exporters and importers. The methodology also includes a sample TIA with explanatory sections.
IP & AI news
The European Commission (DG CNECT) has taken steps towards a central registry for opting out from text and data mining (TDM). The Commission has announced a call for tenders for a feasibility study on the creation of a central registry where rights holders could opt out from TDM based on the copyright TDM exception. The study will assess the feasibility and implementation of a registry that would contain identifiers of protected works and metadata, thereby facilitating opt-out declarations and their recognition by AI developers.
The US Copyright Office has published the second part of its report on AI and copyright, focusing on the protection of works created by generative AI. The report confirms that copyright protection applies only to works where a human has made significant creative decisions, whereas prompt engineering alone cannot be considered sufficiently significant.
The European Copyright Society (ECS) has issued a (non-binding) opinion on copyright and generative AI. It highlights the most significant shortcomings of current European legislation and the insufficient enforcement of these rules.
Market updates
On February 10–11, 2025 the “AI Action” summit took place in Paris. EU announced €200 billion AI investment initiative. Discussions focused on the impact of artificial intelligence on international security, the economy, and public governance. During the summit, the EU Commission announced planned AI investments including InvestAI, a €200 billion initiative.